Schema validation fails with git style URL #890
Comments
I would suspect those values are not generated by the tool but read from a source. Where exactly are those invalid URIs in your SBOM? Can you provide me steps to reproduce?
@mtsfoni I will provide a test project to reproduce.
See the bom.xml generated here: https://github.com/Recurse-blip/cyclonedx_giturl/actions/runs/9714725731/job/26814458493 You will see that there is a URL with this content:
It should be converted to a valid URL such as
The source of the problem is obviously here: https://github.com/LordVeovis/xmlrpc/blob/2f6fc86d85d0eab0f26a73ba9e2a1d0cc9be26f7/Kveer.XmlRPC/Kveer.XmlRPC.csproj#L19 Even if rubbish comes in, this tool should still generate a valid CycloneDX file. I think we should add a check when we fill URLs to see if they are valid. If one isn't, we could probably delete it (easy solution). Alternatively, somebody could build a system that reliably replaces those, but that adds more complexity.
Doing the same for XML in PHP: https://github.com/CycloneDX/cyclonedx-php-library/blob/fab6f93979fc43cb64d0d15d086a565e2b7072d2/src/Core/_helpers/XML.php#L62-L76 Anyway, for fields where you know it could be a git-ssh address, like an externalReference of type VCS, you should not throw the data away, but transform it accordingly.
It seems that the CycloneDX tools generate an invalid URL when generating the SBOM, which fails the schema validation when trying to upload the BOM to Dependency-Track.
This is the error I get:
I think CycloneDX should convert those git style references to something like
git+ssh://...
or git+http://....git
which are valid URLs.

Related issues:
DependencyTrack/dependency-track#3885
CycloneDX/cyclonedx-node-npm#1198
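The transformation the thread converges on (rewrite scp-style git addresses for VCS references, drop anything else that is not a valid absolute URL) as an added, language-neutral illustration. This is not code from cyclonedx-dotnet, the PHP library or any other CycloneDX project; the acceptance rule (scheme plus host, no whitespace), the `git+ssh://` target form and the sample inputs are assumptions made here for the example, and the sample repository URL is constructed rather than taken from the linked bom.xml.

```python
import re
from urllib.parse import urlsplit

# scp-like git syntax: [user@]host:path  (no scheme, a single colon, and
# the part after the colon is not a bare port number). Backslashes are
# excluded so that Windows paths such as C:\repo are not mistaken for it.
_SCP_LIKE = re.compile(
    r"^(?:(?P<user>[^@/:\\]+)@)?"      # optional user@
    r"(?P<host>[^@/:\\]+):"            # host:
    r"(?!\d+(?:/|$))"                  # reject host:port/... (that is a URL, not scp syntax)
    r"(?P<path>[^:\\]+)$"              # repository path
)


def is_valid_url(value: str) -> bool:
    """Assumed acceptance rule: an absolute URL with a scheme and a host and
    no whitespace. This approximates what a schema URI check rejects; it is
    not the exact validator used by Dependency-Track."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return bool(parts.scheme) and bool(parts.netloc) and not any(c.isspace() for c in value)


def normalize_vcs_url(value: str):
    """Return a valid URL for a VCS reference, or None if it cannot be repaired.

    Already-valid URLs (https://, ssh://, git+ssh://, ...) pass through
    untouched; scp-like 'git@host:owner/repo.git' is rewritten to the
    'git+ssh://git@host/owner/repo.git' form proposed in the issue; anything
    else is reported as unrecoverable so the caller can drop it.
    """
    value = value.strip()
    if is_valid_url(value):
        return value
    m = _SCP_LIKE.match(value)
    if m is None:
        return None
    userinfo = f"{m.group('user')}@" if m.group("user") else ""
    path = m.group("path").lstrip("/")
    return f"git+ssh://{userinfo}{m.group('host')}/{path}"


def sanitize_external_reference(ref_type: str, url: str):
    """Decide what to emit for one externalReference.

    Only references of type 'vcs' get the scp-style rewrite, because only
    there is a git-ssh address an expected input. Every other type is kept
    only if it is already a valid URL; otherwise None means 'omit it' so the
    emitted BOM still validates.
    """
    if ref_type.lower() == "vcs":
        return normalize_vcs_url(url)
    url = url.strip()
    return url if is_valid_url(url) else None


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the linked bom.xml.
    samples = [
        ("vcs", "git@github.com:LordVeovis/xmlrpc.git"),
        ("vcs", "https://github.com/LordVeovis/xmlrpc.git"),
        ("vcs", "not a url"),
        ("website", "git@github.com:LordVeovis/xmlrpc.git"),
    ]
    for ref_type, url in samples:
        print(f"{ref_type:8} {url!r:45} -> {sanitize_external_reference(ref_type, url)!r}")
```

Because the rewrite only applies to the VCS reference type, a stray scp-style value in, say, a `website` reference is still dropped rather than silently turned into an ssh URL, which keeps the repair narrow and the output schema-valid either way.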